
Palo Alto Networks

The next generation of firewalls

What we will discuss today


What makes Palo Alto different
Palo Alto mode configurations
Common methods Palo Alto firewalls are physically implemented
Policy based VPN vs. Route based VPN

SSL VPN
Helpful troubleshooting information

Where to obtain further knowledge for Palo Alto firewalls


Questions and Answers

What makes Palo Alto different?


Application Usage and Risk Report (7th Edition, May 2011)

The Palo Alto Networks Application Usage and Risk Report summarizes application traffic assessments performed between October 2010 and May 2011 on more than 1,253 networks worldwide. With a sample size of 1,253 participating organizations, nearly double that of the previous report, and a view into more than 28 exabytes (28,046,165,463,032,900,000) worth of data, the latest edition of the Application Usage and Risk Report (May 2011) is, arguably, the largest application analysis of its kind.
http://www.paloaltonetworks.com/literature/forms/aur-report.php

Palo Alto embraces feedback and thrives on input from its user community. This is EXTREMELY important. Do you remember Michael Lynn, Black Hat, and Cisco in 2005? Instead of embracing this expert's input and truly supporting open disclosure, Cisco sued Black Hat and Michael Lynn for disclosing a 0-day vulnerability in Cisco IOS. The issue, you ask? Running unauthorized code on a Cisco router. Do you think it is important for us to know this, as well as for Cisco to fix the issue? Palo Alto offers multiple methods to ensure the traffic traversing your network is identified, utilizing a new approach to identify assets. Here we go.

What makes Palo Alto different? (continued)


Based on patent-pending App-ID technology, Palo Alto Networks' next generation firewalls accurately identify applications - regardless of port, protocol, evasive tactic or SSL encryption - and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation.
Here are some of the unique capabilities available only in next generation firewalls from Palo Alto Networks:
* The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
* The only firewall to identify, control and inspect SSL encrypted traffic and applications.
* The only firewall with real-time (line-rate, low latency) content scanning to protect against viruses, spyware, data leakage and application vulnerabilities based on a stream-based threat prevention engine.
* The only firewall to provide graphical visualization of applications on the network with detailed user, group and network-level data categorized by sessions, bytes, ports, threats and time.
* The only firewall with line-rate, low-latency performance for all services, even under load.

What makes Palo Alto different? (continued)


Palo Alto provides the following features:

App-ID: classifying traffic on all ports, all the time, irrespective of protocol, encryption, and/or any other evasion tactic
Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which, at one point, was a satisfactory mechanism for securing the perimeter. Today, applications can easily bypass a port-based firewall: hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-ID, a patent-pending traffic classification mechanism that is unique to Palo Alto Networks, addresses the traffic classification limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the device sees it, to determine the exact identity of applications traversing the network.

What makes Palo Alto different? (continued)


[Continued] App-ID
Classify traffic based on applications, not ports. App-ID uses multiple identification mechanisms to determine the exact identity of applications traversing the network. The identification mechanisms are applied in the following order:
1. Traffic is first classified based on the IP address and port.
2. Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics.
3. If App-ID determines that encryption (SSL or SSH) is in use and a decryption policy is in place, the application is decrypted and application signatures are applied again on the decrypted flow.
4. Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger used across HTTP).
5. For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
As the applications are identified by the successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.

What makes Palo Alto different? (continued)


User-ID: securely enable applications on your network based on users and groups, not just IP addresses
Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. Palo Alto Networks next-generation firewalls integrate with the widest range of user repositories on the firewall market, enabling organizations to incorporate user and group information into their security policies. Through User-ID, organizations also get full visibility into user activity on the network as well as user based.

Content-ID: real-time content scanning blocks threats, controls web surfing, and limits data and file transfers
Content-ID combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification to limit unauthorized data and file transfers, detect and block a wide range of threats, and control non-work-related web surfing. The application visibility and control delivered by App-ID, combined with the content inspection enabled by Content-ID, means that IT departments can regain control over application traffic and the related content. The NSS-rated IPS blocks known and unknown vulnerability exploits, buffer overflows, DoS attacks and port scans from compromising and damaging enterprise information resources. IPS mechanisms include:
* Protocol decoder-based analysis: statefully decodes the protocol
* Protocol anomaly-based protection: detects non-RFC-compliant protocol usage
* Stateful pattern matching: detects attacks spread over multiple packets
* Statistical anomaly detection: prevents rate-based DoS floods
* Heuristic-based analysis: detects anomalous packet and traffic patterns such as port scans and port sweeps
* Custom vulnerability or spyware phone-home signatures that can be used in either the anti-spyware or vulnerability protection profiles
* Other attack protection capabilities such as blocking invalid or malformed packets, IP defragmentation, and TCP reassembly to protect against evasion and obfuscation methods

URL Filtering by BrightCloud


Complementing the threat prevention and application control capabilities is a fully integrated, URL filtering database consisting of 20 million URLs across 76 categories that enables IT departments to monitor and control employee web surfing activities.

What makes Palo Alto different? (continued)


[Continued]: Content-ID File and Data Filtering
Data filtering features enable administrators to implement policies that will reduce the risks associated with the transfer of unauthorized files and data.
* File blocking by type: Control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension).
* Data filtering: Control the transfer of sensitive data patterns such as credit card and social security numbers in application content or attachments.
* File transfer function control: Control the file transfer functionality within an individual application, allowing application use yet preventing undesired inbound or outbound file transfer.

Palo Alto mode configurations


Palo Alto firewalls offer three modes to utilize in your network:

a. TAP Mode
By utilizing tap mode interfaces, the device can be connected to a core switch's SPAN port to identify applications running on the network. This option requires no changes to the existing network design. In this mode the device cannot block any harmful traffic, nor can it decrypt SSL connections. This is also a method to analyze your traffic and build rules based on facts rather than best guesses, prior to go-live.

b. V-Wire Mode
Using V-Wire interfaces, the device can be inserted into an existing topology without requiring any reallocation of network addresses or redesign of the network topology. In this mode all of the protection and decryption features of the device can be used. The device will not participate in NAT or dynamic routing.

c. Layer 3 Mode
Using L3 interfaces, the device can take the place of any current enterprise firewall deployment. It can also participate in NAT and dynamic routing (RIP, OSPF, and BGP).

Common methods Palo Alto firewalls are physically implemented


Typical methods of deployment

1. Full Mesh implementation, where all devices are physically connected with each other, supporting a more resilient network architecture

Common methods Palo Alto firewalls are physically implemented (continued)


2. Hub and Spoke/Star, where multiple devices talk back to a datacenter or headquarters and direct connectivity between nodes is not necessary. This means all traffic must pass into and out of the data center or headquarters.

Policy based VPN vs. Route based VPN


In a policy-based VPN, the tunnel is specified within the policy itself with an action of "IPSec". Also, for a policy-based VPN only one policy is required. A route-based VPN is created with two policies, one for inbound and another for outbound, with a normal "Accept" action.

Common Reasons to use a Policy-based VPN:

* Remote VPN device is different than what you administer
* Need to access only one subnet or one network at the remote site, across the VPN

Policy based VPN vs. Route based VPN (continued)


A Route-Based VPN is a configuration in which the policy does not reference a specific VPN tunnel. Instead, a VPN tunnel is indirectly referenced by a route that points to a specific tunnel interface. The tunnel interface may be bound to a VPN tunnel or to a tunnel zone. As traffic traverses the tunnel interface it is encrypted and decrypted. When a tunnel interface is in a security zone, the tunnel interface must be bound to a VPN tunnel. This is necessary in order to create a routing-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface usually borrows the IP address from the security zone interface.

Common Reasons to use a Route-based VPN:

* Source or Destination NAT (NAT-Src, NAT-Dst) needs to occur as traffic traverses the VPN
* Overlapping subnets/IP addresses between the two LANs
* Hub-and-spoke VPN topology

Policy based VPN vs. Route based VPN (continued)


[Continued]: Common Reasons to use a Route-based VPN:

* Design requires primary and backup VPN
* A dynamic routing protocol (i.e. OSPF, RIP, BGP) is running across the VPN
* Need to access multiple subnets or networks at the remote site, across the VPN

SSL VPN
Palo Alto firewall devices can support SSL VPN connectivity. There are no differences that stand out between the implementation of an SSL VPN with Palo Alto vs. Cisco, Juniper, etc. The Palo Alto disseminates a thin client via the web browser to the requesting workstation when connectivity is first established. If the thin client is not installed, the Palo Alto will attempt to send the software to the end user. The software is called NetConnect, and it supports IPsec VPN as well as SSL VPN. This is important information to know when troubleshooting with the customer. Note: the versions of software distributed by the Palo Alto are all manageable and decided by the administrator. If the thin client is not utilized to establish an IPsec tunnel, then SSL is utilized by the system as a fallback. SSL VPN must be configured in your policy to allow the functionality desired. Note: an SSL VPN implementation should also include an SSL [X.509] certificate from a known and trusted certificate authority. This prevents end users from receiving a certificate error, assures the requesting browser of your identity, and assures the end user that the session is encrypted.

Helpful troubleshooting information


IKE Debugging Packet Captures
* Used when there are proposal mismatches in Phase 1 and/or Phase 2
* Can be used to see what proposals the peer is sending
* All debugging must be turned off when troubleshooting is complete
* IKE debugging writes to the ikemgr.pcap file, viewable by downloading it and using a tool like Wireshark, or by using the built-in web GUI

CLI commands for enabling IKE PCAPs
debug ike pcap on - Activates a PCAP of all IKE traffic
scp export debug-pcap - Copies the PCAP off of the firewall
view-pcap <options> debug-pcap ikemgr.pcap - Displays the PCAP in the CLI; can be used to view it in real time with the follow option

Helpful troubleshooting information (continued)


[Continued]: CLI commands for enabling IKE PCAPs
debug ike pcap off - Turns off packet capture
debug ike pcap delete - Removes the ikemgr.pcap file; do this prior to starting a new capture so that the data in the PCAP file is specific to your troubleshooting effort

Troubleshooting VPN tunnel issues
show vpn tunnel - Shows current tunnels; displays the tunnel ID in the first column {TnID}
show vpn flow tunnel-id {TnID} - Shows detailed information on the tunnel ID specified, including packets and bytes through the tunnel

Helpful troubleshooting information (continued)


[Continued]: Troubleshooting VPN tunnel issues
clear vpn ike-sa gateway all - Tears down all tunnels and gateway Security Associations
test vpn ipsec-sa tunnel <tunnel_name> - Initiates Phase 1 and 2 Security Associations for the specified tunnel

Helpful troubleshooting information (continued)


show system info - Includes management interface settings, uptime, serial number, software version, and threat/application content versions
show jobs processed - Displays the status of current and past jobs, including:
* Install of PAN-OS, apps, and content
* Downloads of PAN-OS, apps, and content
* Validation of configuration
* Commit configuration
* AutoCommit on restart
show jobs id <#> - Looks at a specific job, for example to help determine why a submitted job failed

Helpful troubleshooting information (continued)


show system statistics - Provides current throughput and session counts [real time]
show system statistics (view applications) - Press a to switch the display to application statistics [real time]
show log - The show log command can be used for all logs. Logs can be filtered, and can be displayed with the most current entries at the top.

For example: show log traffic receive_time in last-60-seconds
For example: show log traffic receive_time in ? will display all pre-defined intervals
For example: show log traffic app equal gmail will display any traffic log entries matching the application gmail

Helpful troubleshooting information (continued)


[Continued] show log
For example: show log system subtype equal vpn will display any system log entries with subtype vpn
For example: show log system opaque contains SA will display all system log events whose description text contains SA
The direction keyword changes the sort order. The default is oldest log entries first, but this can be changed.
For example: show log system subtype equal general receive_time in last-15-minutes will display log entries of subtype general received in the last 15 minutes.
For example: show log system subtype equal general receive_time in last-15-minutes direction equal backward will display the last 15 minutes of logs in backward order.
show system logdb-quota will display log space usage

Helpful troubleshooting information (continued)


show counter global will display all system counters. You can refine this command with the match and filter delta yes switches.
show counter interface will display logical interface counters read from the CPU of the Palo Alto.

Using packet filters with counters
Packet filters can be defined to highlight specific traffic: debug dataplane packet-diag set filter match <data>
Counters can then be viewed for traffic matching the packet filters: show counter global filter packet-filter yes value non-zero

Reading Drop Counters


show counter global filter severity drop value all will display all possible drop counters. Most have a description as to why a packet was dropped.

Helpful troubleshooting information (continued)


[Continued]: Reading Drop Counters
Examples of counters shown when filtering on severity drop:
flow_tcp_non_syn_drop - TCP traffic did not match any existing session and was not a SYN packet
flow_parse_l4_tcpsynfin - Packet contained both the SYN and FIN flags; probably from a port scan such as Nmap
flow_fwd_l3_noroute - No route found in the FIB (forwarding information base, i.e. routing) for the destination address
flow_policy_nat - Could not allocate a NAT address; could be out of NAT IP pool addresses
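To make concrete why three of these counters increment, here is an added example (written for this page, not PAN-OS code) that models the checks a stateful firewall makes on each packet: SYN+FIN parsing, session-table lookup, and FIB route lookup. The session table, FIB and sample packets are constructed inline; flow_policy_nat is not modelled.

```python
"""Model of the checks behind three of the drop counters on this slide.
Added example for this page, not PAN-OS code: the session table, FIB
and sample packets are all constructed inline."""
import ipaddress
from dataclasses import dataclass

FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def _session_key(src, sport, dst, dport):
    """Direction-independent key so return traffic matches the same session."""
    return frozenset({(src, sport), (dst, dport)})


# Constructed session table: one established DNS session.
SESSIONS = {_session_key("10.30.11.50", 40000, "4.2.2.2", 53)}
# Constructed FIB for the virtual router: only these prefixes are routable.
FIB = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("4.2.2.0/24")]


def classify(pkt: Packet):
    """Return the drop counter this packet would increment, or None if forwarded."""
    # flow_parse_l4_tcpsynfin: SYN and FIN set together is never a valid handshake
    if pkt.flags & SYN and pkt.flags & FIN:
        return "flow_parse_l4_tcpsynfin"
    # flow_tcp_non_syn_drop: no existing session and not the SYN that would open one
    if (_session_key(pkt.src, pkt.sport, pkt.dst, pkt.dport) not in SESSIONS
            and not pkt.flags & SYN):
        return "flow_tcp_non_syn_drop"
    # flow_fwd_l3_noroute: FIB lookup fails for the destination address
    dst = ipaddress.ip_address(pkt.dst)
    if not any(dst in prefix for prefix in FIB):
        return "flow_fwd_l3_noroute"
    return None


def count_drops(packets):
    """Aggregate per-counter totals, the view that
    show counter global filter severity drop value all gives for real traffic."""
    totals = {}
    for pkt in packets:
        reason = classify(pkt)
        if reason:
            totals[reason] = totals.get(reason, 0) + 1
    return totals


# Constructed sample traffic.
SAMPLE = [
    Packet("10.30.11.50", "4.2.2.2", 40000, 53, ACK),        # in session: forwarded
    Packet("4.2.2.2", "10.30.11.50", 53, 40000, ACK),        # reply on the same session
    Packet("10.30.11.50", "4.2.2.2", 40001, 53, ACK),        # mid-stream, no session
    Packet("10.30.11.50", "4.2.2.2", 40002, 22, SYN | FIN),  # SYN+FIN, scanner-style
    Packet("10.30.11.50", "192.0.2.9", 40003, 443, SYN),     # destination not in FIB
    Packet("10.30.11.50", "4.2.2.2", 40004, 443, SYN),       # opens a new session
]
```

Running count_drops(SAMPLE) yields one hit on each of the three modelled counters; the two in-session packets and the fresh SYN are forwarded.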

Helpful troubleshooting information (continued)


Checking Memory Usage
debug dataplane pool statistics will display memory usage on the Palo Alto device.
NOTE: Left column = FREE memory; Right column = UTILIZED memory

Showing session IDs
show session id will display session IDs on the Palo Alto. This provides information such as the timeout value, the security rule that allowed the session, and QoS information.
There is a Session Browser usable in the GUI of the Palo Alto. The abilities of this application are extremely powerful.

Test policy commands -- provide the ability to test policies on the Palo Alto device to ensure they function as intended.

Helpful troubleshooting information (continued)


[Continued]: Test policy commands

test security-policy-match from Training to 2Corpnet source 10.30.11.50 destination 4.2.2.2 application dns
will display the policy allowing traffic from zone Training to zone 2Corpnet with source IP 10.30.11.50 to destination IP 4.2.2.2 for the application dns

Rulebases you can utilize this test with: security-policy-match, cp-policy-match, ssl-policy-match, and nat-policy-match

Utilizing PING
ping host <IP address>
ping source 10.1.1.1 host 4.2.2.2
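The following added example (not PAN-OS code) shows the first-match lookup that test security-policy-match exercises, using the zones and addresses from the slide above with a constructed rulebase, plus the zero-hit check behind show running rule-use type unused. The service and user columns of a real rule are omitted.

```python
"""Model of the first-match security policy lookup that
test security-policy-match performs.  Added example for this page,
not PAN-OS code; the rulebase below is constructed.  Simplified: the
service/port and user columns of a real rule are omitted."""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    application: str   # App-ID name or "any"
    action: str        # "allow" or "deny"
    hits: int = 0      # rule-use counter


def _addr_match(field: str, addr: str) -> bool:
    """Does an address field ("any" or a CIDR) contain addr?"""
    if field == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


# Constructed rulebase, evaluated top to bottom; the first hit wins.
# Zones Training / 2Corpnet and the IPs used below come from the slide.
RULEBASE = [
    Rule("allow-dns-out", "Training", "2Corpnet", "10.30.11.0/24", ANY, "dns", "allow"),
    Rule("block-ssh", "Training", "2Corpnet", ANY, ANY, "ssh", "deny"),
    Rule("allow-web", "Training", "2Corpnet", ANY, ANY, "web-browsing", "allow"),
    Rule("legacy-ftp", "Training", "2Corpnet", "10.30.12.0/24", ANY, "ftp", "allow"),
]


def policy_match(rulebase, from_zone, to_zone, src, dst, app):
    """Return the first rule matching the flow, or None.
    None means nothing matched, so the implicit interzone deny applies."""
    for rule in rulebase:
        if (rule.from_zone in (ANY, from_zone)
                and rule.to_zone in (ANY, to_zone)
                and _addr_match(rule.source, src)
                and _addr_match(rule.destination, dst)
                and rule.application in (ANY, app)):
            rule.hits += 1
            return rule
    return None


def unused_rules(rulebase):
    """Names of rules that never matched: what
    show running rule-use type unused rule-base security reports."""
    return [r.name for r in rulebase if r.hits == 0]


if __name__ == "__main__":
    # Same query as the slide's test security-policy-match example.
    hit = policy_match(RULEBASE, "Training", "2Corpnet", "10.30.11.50", "4.2.2.2", "dns")
    print(hit.name if hit else "no match (implicit deny)")
    print("unused:", unused_rules(RULEBASE))
```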

Show system routing table: show routing route

Helpful troubleshooting information (continued)


Verification of routing
test routing fib-lookup will allow you to view the Forwarding Information Base (FIB) for a particular virtual router. This will allow you to determine which destination interface is used by a particular route.

Display current running configuration on Palo Alto
show running will display what is in the running configuration, much like a Cisco router/switch. This can be used to view policy sets or get statistics.
show running resource-monitor will display CPU statistics for all CPUs
show running nat-policy displays the installed NAT rulebase
show running rule-use type unused rule-base security vsys vsys1 will show unused security rules on virtual system vsys1

Connectivity issues can be found with PING. You can look for "incomplete" sessions in the log and check the packet count. When the packet count = 1, traffic never came back: check routing and NAT.
REMEMBER: you can utilize the session browser via the GUI (web) to look at traffic details as well.

Where to obtain further knowledge for Palo Alto firewalls


General information relative to Palo Alto Networks: http://www.paloaltonetworks.com
Where to register your Palo Alto device: http://support.paloaltonetworks.com
KnowledgePoint: https://live.paloaltonetworks.com/community/knowledgepoint

Support Levels & Severity Definitions
Standard Support is 24x5, Sunday 4 PM to Friday 7 PM
Premium Support is 24x7

Critical support cases: phone support, <1 hour response time

High, Medium, Low severity: support portal

https://support.paloaltonetworks.com/pa-portal/index.php

Questions and Answers

Presentation by James Sommer and Shriram Ayyar, with help from paloaltonetworks.com, Palo Alto Networks EDU-201 & EDU-301 (advanced troubleshooting), and juniper.com

HAVE A NICE DAY!
